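splunk how to extract object to table

Question

Example event:

```
{
  "test": {
    "x": "y",
    "a": "b",
    "code": {
      "one": {
        "two": {
          "c": "d"
        }
      }
    }
  }
}
```

How can I extract some parts of the `code` block and present them as a table? Example:

one | c

I have tried putting together a query, but I'm not sure how to extract specific fields:

```
| spath
| spath test.code{} output=code
| mvexpand code
```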
# Answer 1

**Score**: 1
```
| makeresults
| eval _raw="{
  \"test\": {
    \"x\": \"y\",
    \"a\": \"b\",
    \"code\": {
      \"one\" : {
        \"two\": {
          \"c\": \"d\"
        }
      }
    }
  }
}"
| spath test.code output=code
| table code
| spath input=code
```

The key idea here is the `input=code`. The spath command takes `input` as an optional argument for which field to find the JSON in to extract the values from. [Spath link][1]

The results from the example given are:

[![Results from query][2]][2]

[1]: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Spath
[2]: https://i.stack.imgur.com/Y63TO.png
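Why the answer's two-step `spath` yields a field while the question's `test.code{}` path does not, shown as a small Python model added here (it is not Splunk's implementation and not code from the original post). The functions `resolve`, `flatten` and `spath` are hypothetical names, and the model assumes spath's documented path convention that `{}` addresses the elements of a JSON array.

```python
import json

def resolve(doc, path):
    """Follow a dotted path; assumption: a step ending in '{}' matches arrays only."""
    nodes = [doc]
    for step in path.split("."):
        is_array_step = step.endswith("{}")
        key = step[:-2] if is_array_step else step
        found = []
        for node in nodes:
            if isinstance(node, dict) and key in node:
                child = node[key]
                if not is_array_step:
                    found.append(child)
                elif isinstance(child, list):   # an object never matches '{}'
                    found.extend(child)
        nodes = found
    return nodes

def flatten(node, prefix=""):
    """Auto-extraction: every leaf becomes a field named by its full path."""
    if isinstance(node, dict):
        fields = {}
        for key, value in node.items():
            fields.update(flatten(value, f"{prefix}.{key}" if prefix else key))
        return fields
    if isinstance(node, list):
        fields = {}
        for item in node:
            for name, value in flatten(item, prefix + "{}").items():
                fields.setdefault(name, []).append(value)
        return fields
    return {prefix: node}

def spath(event, path=None, input_field="_raw", output=None):
    """Return a copy of the event with fields extracted from event[input_field]."""
    doc = json.loads(event[input_field])
    result = dict(event)
    if path is None:
        result.update(flatten(doc))
    else:
        values = [v if isinstance(v, str) else json.dumps(v) for v in resolve(doc, path)]
        if values:
            result[output or path] = values[0] if len(values) == 1 else values
    return result

# Constructed sample: the event from the question, on one line.
event = {"_raw": '{"test":{"x":"y","a":"b","code":{"one":{"two":{"c":"d"}}}}}'}
asked = spath(event, path="test.code{}", output="code")  # path used in the question
step1 = spath(event, path="test.code", output="code")    # first spath in the answer
step2 = spath(step1, input_field="code")                 # second spath: input=code
print("code" in asked, step1["code"], step2["one.two.c"])
```

In the model, the second call reads only the `code` field, so the resulting field is named `one.two.c` rather than `test.code.one.two.c`.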